Editing Access control (section)

===Security risks===
[[File:Access control door wiring io module.png|thumb|right|Access control door wiring when using intelligent readers and IO module]]

The most common security risk of intrusion through an access control system is by simply following a legitimate user through a door, and this is referred to as [[Piggybacking (security)|tailgating]]. Often the legitimate user will hold the door for the intruder. This risk can be minimized through security awareness training of the user population or more active means such as turnstiles. In very high-security applications this risk is minimized by using a [[sally port]], sometimes called a security vestibule or mantrap, where operator intervention is required presumably to assure valid identification.<ref>{{Cite journal|last=Morse|first=W. D.|date=1998-08-01|title=Physical security of cut-and-cover underground facilities|osti=656762|url=https://www.osti.gov/biblio/656762|language=English}}</ref>

The second most common risk is from levering a door open. This is relatively difficult on properly secured doors with strikes or high holding force magnetic locks. Fully implemented access control systems include forced door monitoring alarms. These vary in effectiveness, usually failing from high false positive alarms, poor database configuration, or lack of active intrusion monitoring. Most newer access control systems incorporate some type of door prop alarm to inform system administrators of a door left open longer than a specified length of time.<ref>{{Cite book |last=Norman |first=Thomas L. |url=https://www.worldcat.org/oclc/891396744 |title=Integrated security systems design : a complete reference for building enterprise-wide digital security systems |date=2014 |isbn=978-0-12-800193-6 |edition=2nd |location=Oxford [England] |oclc=891396744}}</ref><ref>{{Cite book |last=Davies |first=Sandi J. |url=https://www.worldcat.org/oclc/1131862780 |title=The professional protection officer : practical security strategies and emerging trends |date=2019 |others=Lawrence J. Fennelly |isbn=978-0-12-817749-5 |edition=2nd |location=Amsterdam |pages=166–167 |oclc=1131862780}}</ref><ref>{{Cite book |last=Fennelly |first=Lawrence J. |url=https://www.worldcat.org/oclc/1144727242 |title=Handbook of loss prevention and crime prevention |date=2019 |others=Lawrence J. Fennelly |isbn=978-0-12-817273-5 |edition=6th |location=Amsterdam |pages=239 |oclc=1144727242}}</ref>

The third most common security risk is natural disasters. In order to mitigate risk from natural disasters, the structure of the building, down to the quality of the network and computer equipment vital. From an organizational perspective, the leadership will need to adopt and implement an All Hazards Plan, or Incident Response Plan. The highlights of any incident plan determined by the [[National Incident Management System (US)|National Incident Management System]] must include Pre-incident planning, during incident actions, disaster recovery, and after-action review.<ref>{{Cite web|url=http://www.nimsonline.com/nims_3_04/incident_command_system.htm |title=Incident Command System :: NIMS Online :: Serving the National Incident Management System (NIMS) Community. |date=18 March 2007 |access-date=6 March 2016 |url-status=usurped |archive-url=https://web.archive.org/web/20070318154341/http://www.nimsonline.com/nims_3_04/incident_command_system.htm |archive-date=18 March 2007 }}</ref>

Similar to levering is crashing through cheap partition walls. In shared tenant spaces, the divisional wall is a vulnerability. A vulnerability along the same lines is the breaking of sidelights.{{citation needed|date=February 2012}}

Spoofing locking hardware is fairly simple and more elegant than levering. A strong magnet can operate the solenoid controlling bolts in electric locking hardware. Motor locks, more prevalent in Europe than in the US, are also susceptible to this attack using a doughnut-shaped magnet. It is also possible to manipulate the power to the lock either by removing or adding current, although most Access Control systems incorporate battery back-up systems and the locks are almost always located on the secure side of the door. {{citation needed|date=February 2012}}

Access cards themselves have proven vulnerable to sophisticated attacks. Enterprising hackers have built portable readers that capture the card number from a user's proximity card. The hacker simply walks by the user, reads the card, and then presents the number to a reader securing the door. This is possible because card numbers are sent in the clear, no encryption being used. To counter this, dual authentication methods, such as a card plus a PIN should always be used.

Many access control credentials unique serial numbers are programmed in sequential order during manufacturing. Known as a sequential attack, if an intruder has a credential once used in the system they can simply increment or decrement the serial number until they find a credential that is currently authorized in the system. Ordering credentials with random unique serial numbers is recommended to counter this threat.<ref>{{cite web|url=http://www.clonemykey.com/blog/smart-access-control-polices-for-residential-commercial-buildings/|title=Smart access control policies for residential & commercial buildings|access-date=11 September 2017|url-status=live|archive-url=https://web.archive.org/web/20170704011005/https://www.clonemykey.com/blog/smart-access-control-polices-for-residential-commercial-buildings/|archive-date=4 July 2017}}</ref>

Finally, most electric locking hardware still has mechanical keys as a fail-over. Mechanical key locks are vulnerable to [[Lock bumping|bumping]].<ref name="Pulford2007">{{cite book|author=Graham Pulford|title=High-Security Mechanical Locks: An Encyclopedic Reference|url=https://books.google.com/books?id=7m41LA8WsvUC&pg=PA76|date=17 October 2007|publisher=Butterworth-Heinemann|isbn=978-0-08-055586-7|pages=76–}}</ref>